Create multiple tunnels between a VNet and an on-premises site with automatic failover

Question

Create multiple tunnels between a VNet and an on-premises site with automatic failover

Lê Vũ Thùy Dương 36

We are currently using a site-to-site VPN connection between Azure and my on-premiese VPN. We want to create one more site-to-site VPN connection between them, how can between tunnels have automatic failover when a tunnel is disconnected. Is it possible to use static route or can only use BGP?

1 answer

Your answer

Answer 1

Andriy Bilous 12,076 MVP Volunteer Moderator

Hello @Lê Vũ Thùy Dương

Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN connection.

To provide better availability for your cross premises connections you can create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to your on-premises VPN device, as shown the following diagram:
In this configuration, each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection.

Azure VPN Gateway support multiple tunnels between a VNet and an on-premises site with automatic failover based on BGP
This capability provides multiple tunnels (paths) between the two networks in an active-active configuration.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview

Lê Vũ Thùy Dương 36 Reputation points

2021-10-06T02:00:00.533+00:00

Hi @Andriy Bilous

Our on premise VPN is currently using a static route, is there any way I can continue to use a static route for the second tunnel between them. If one of the tunnels is disconnected, the traffic automatically shifts to the remaining tunnels.
Can we use active-active configuration for this case?
Andriy Bilous 12,076 Reputation points MVP Volunteer Moderator

2021-10-06T04:41:13.097+00:00

In Active-active configuration you will need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to those two Azure VPN gateway public IP addresses.
As Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other. For a single TCP or UDP flow, Azure attempts to use the same tunnel when sending packets to your on-premises network. However, your on-premises network could use a different tunnel to send packets to Azure.
Lê Vũ Thùy Dương 36 Reputation points

2021-10-06T06:47:12.637+00:00

Hi @Andriy Bilous

As far as I understand:
"If I just want to create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to my single on-premises VPN device, BGP is not required for this configuration.
For this configuration, I just have to keep the Enable active-active mode: Enabled in my VPN gateway.
The active-active mode is available for all SKUs except Basic."

1) BGP is not required for this configuration. => What routing protocol can I use, can I use static route?
2) If using a static route, when one of the tunnels is disconnected, will traffic automatically shifts to the remaining tunnels?
Andriy Bilous 12,076 Reputation points MVP Volunteer Moderator

2021-10-06T07:13:51.99+00:00

1) If you just want to create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to your single on-premises VPN device, BGP is not required for this configuration.
2) It depends on your router model, if it supports VPN tunnel liveness detection
Lê Vũ Thùy Dương 36 Reputation points

2021-10-06T07:18:51.73+00:00

Thank you so much, @Andriy Bilous ! Your answer is very helpful to me.

Regards,
Duong Le

Share via

Create multiple tunnels between a VNet and an on-premises site with automatic failover

1 answer

Your answer